
New UK data protection law to offer more control to users

UK citizens will have more control over how businesses use their personal information, including the right to demand that social media companies and online traders delete such data, the UK government has decided.

On Monday, the government released a document outlining details of its new Data Protection Bill, which aims to bring the UK's data protection laws up to date and in line with EU law. (Until Brexit negotiations are concluded, the UK remains a full member of the European Union, and all the rights and obligations of EU membership remain in force.)

The new Data Protection Bill

The new Bill will offer more protection for users, new protections but also new obligations for companies, more powers for the UK Information Commissioner's Office (ICO), and a bespoke regime for law enforcement purposes. For users, this means:

Improved data access (it will be easier to find out what personal data an organization holds about them)

Improved data portability (moving data from one service to another)

Being able to ask for their personal data or social media posts to be erased

Protection from negative automated profiling

Organizations in both the private and public sectors will be more accountable for the data they process: they will have to carry out an impact assessment to understand the risks involved and the mitigation required to prevent inappropriate use, and will have to prioritise personal privacy rights when handling personal data.

The ICO will keep the same investigative powers as before, but will now be able to levy much larger fines for the most serious data breaches (up to £17m or 4% of the company's global turnover). It will also be able to criminally prosecute companies that, among other things, intentionally or recklessly allow the re-identification of individuals from anonymised or pseudonymised data.

Finally, the new Bill also expands the definition of personal data to include IP addresses, internet cookies and DNA.

Comments on the new Bill

“We are pleased the government recognises the importance of data protection, its central role in increasing trust and confidence in the digital economy and the benefits the enhanced protections will bring to the public,” commented Elizabeth Denham, the current Information Commissioner.

Julian David, CEO of techUK, said that the organization “supports the aim of a Data Protection Bill that implements GDPR in full, puts the UK in a strong position to secure unhindered data flows once it has left the EU, and gives businesses the clarity they need about their new obligations.”

Javier Ruiz, policy director at digital rights campaign organisation Open Rights Group, said that they welcome the government’s intention to bring European data protection laws into UK law, but asked the government to explain how these data protection rights will be guaranteed after the UK has left the EU.

“We are disappointed that UK Ministers are not taking up the option in EU law to allow consumer privacy groups to lodge independent data protection complaints as they can currently do under consumer rights laws,” he also noted.

“Citizens face increasingly complex data ecosystems. It is almost impossible for the average person to be able to know which organisations hold their personal data. Enabling privacy groups to take independent action will ensure consumers’ rights are properly enforced.”

“The Data Protection Bill comes at a time when many companies, large and small, are attempting to grapple with the gluttonous amount of data we’ve been generating,” commented Lal Hussain, Director IT Applications at Insight UK.

“Transferring GDPR into UK law is a natural progression that will enforce compliance with a new understanding of how data should be handled, forcing organisations to come face to face with the dark data they’ve been carrying since the beginnings of the digital age. How you manage data privacy could become as important to customer retention as the overall buying experience.”

Greg Hanson, VP EMEA Cloud at Informatica, noted that UK companies will need a comprehensive view of all the relevant data they hold if they are to comply with the new Data Protection Bill.

“UK businesses need to identify which data will be subject to the new law and ensure that it can be easily accessed and deleted if needs be. To do this, they should map out all their data across the whole organisation, no matter where it is stored. Many companies have built up vast databases of personal information over the years, so an automated data discovery system is essential – humans can’t process it all in time,” he pointed out.

“A powerful automated data management strategy is essential if UK businesses are to gain the deep insight they need to ensure they are compliant.”